CVE-2020-13696

Description

An issue was discovered in LinuxTV xawtv before 3.107. The function dev_open() in v4l-conf.c does not perform sufficient checks to prevent an unprivileged caller of the program from opening unintended filesystem paths. This allows a local attacker with access to the v4l-conf setuid-root program to test for the existence of arbitrary files and to trigger an open on arbitrary files with mode O_RDWR. To achieve this, relative path components need to be added to the device path, as demonstrated by a v4l-conf -c /dev/../root/.bash_history command.
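A lexical path check of the kind that closes this class of bug, added here as an illustration and not the xawtv project's own fix; the function names and the exact rule (absolute path under /dev/ with no ".", ".." or empty components) are assumptions:

```c
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <string.h>

/* Illustrative hardening (not xawtv's code): a setuid helper that opens a
 * video device should refuse any caller-supplied path that can escape /dev.
 * Rule assumed here: absolute path starting with "/dev/", every component a
 * plain name, so ".", "..", "" (from "//") and a trailing "/" are refused. */
bool is_safe_device_path(const char *path)
{
    static const char prefix[] = "/dev/";
    size_t plen = sizeof(prefix) - 1;

    if (path == NULL || strncmp(path, prefix, plen) != 0)
        return false;
    const char *p = path + plen;
    if (*p == '\0')
        return false;                       /* "/dev/" names no device */
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 0)                       /* "//" or trailing "/" */
            return false;
        if (len == 1 && p[0] == '.')        /* "." component */
            return false;
        if (len == 2 && p[0] == '.' && p[1] == '.')   /* ".." component */
            return false;
        if (slash == NULL)
            return true;
        p = slash + 1;
    }
}

/* Validate before open(2): a rejected path never reaches the kernel, so the
 * caller learns nothing about files outside /dev. Returns -1 with errno set. */
int open_device(const char *path)
{
    if (!is_safe_device_path(path)) {
        errno = EACCES;
        return -1;
    }
    return open(path, O_RDWR);
}
```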

Risk Information

Base Score: 4.4 (MODERATE)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS Score (Exploitation Probability): 0.044

Associated Vulnerability

Vulnerability | OS Platform
X11 program for watching TV (USN-4518-1) pia_3.103-3+deb8u1build0.16.04.1_i386.deb | Linux
X11 program for watching TV (USN-4518-1) pia_3.103-3+deb8u1build0.16.04.1_amd64.deb | Linux
X11 program for watching TV (USN-4518-1) ttv_3.103-3+deb8u1build0.16.04.1_i386.deb | Linux
X11 program for watching TV (USN-4518-1) ttv_3.103-3+deb8u1build0.16.04.1_amd64.deb | Linux
X11 program for watching TV (USN-4518-1) fbtv_3.103-3+deb8u1build0.16.04.1_i386.deb | Linux
X11 program for watching TV (USN-4518-1) fbtv_3.103-3+deb8u1build0.16.04.1_amd64.deb | Linux
X11 program for watching TV (USN-4518-1) radio_3.103-3+deb8u1build0.16.04.1_i386.deb | Linux
X11 program for watching TV (USN-4518-1) radio_3.103-3+deb8u1build0.16.04.1_amd64.deb | Linux
X11 program for watching TV (USN-4518-1) xawtv_3.103-3+deb8u1build0.16.04.1_i386.deb | Linux
X11 program for watching TV (USN-4518-1) xawtv_3.103-3+deb8u1build0.16.04.1_amd64.deb | Linux
X11 program for watching TV (USN-4518-1) alevtd_3.103-3+deb8u1build0.16.04.1_i386.deb | Linux
X11 program for watching TV (USN-4518-1) alevtd_3.103-3+deb8u1build0.16.04.1_amd64.deb | Linux
X11 program for watching TV (USN-4518-1) scantv_3.103-3+deb8u1build0.16.04.1_i386.deb | Linux
X11 program for watching TV (USN-4518-1) scantv_3.103-3+deb8u1build0.16.04.1_amd64.deb | Linux
X11 program for watching TV (USN-4518-1) webcam_3.103-3+deb8u1build0.16.04.1_i386.deb | Linux
X11 program for watching TV (USN-4518-1) webcam_3.103-3+deb8u1build0.16.04.1_amd64.deb | Linux
X11 program for watching TV (USN-4518-1) streamer_3.103-3+deb8u1build0.16.04.1_i386.deb | Linux
X11 program for watching TV (USN-4518-1) streamer_3.103-3+deb8u1build0.16.04.1_amd64.deb | Linux
X11 program for watching TV (USN-4518-1) v4l-conf_3.103-3+deb8u1build0.16.04.1_i386.deb | Linux
X11 program for watching TV (USN-4518-1) v4l-conf_3.103-3+deb8u1build0.16.04.1_amd64.deb | Linux
X11 program for watching TV (USN-4518-1) xawtv-tools_3.103-3+deb8u1build0.16.04.1_i386.deb | Linux
X11 program for watching TV (USN-4518-1) xawtv-tools_3.103-3+deb8u1build0.16.04.1_amd64.deb | Linux
X11 program for watching TV (USN-4518-1) xawtv-plugins_3.103-3+deb8u1build0.16.04.1_i386.deb | Linux
X11 program for watching TV (USN-4518-1) xawtv-plugins_3.103-3+deb8u1build0.16.04.1_amd64.deb | Linux
X11 program for watching TV (USN-4518-1) xawtv-plugin-qt_3.103-3+deb8u1build0.16.04.1_i386.deb | Linux
X11 program for watching TV (USN-4518-1) xawtv-plugin-qt_3.103-3+deb8u1build0.16.04.1_amd64.deb | Linux

Patch Details

No records found
